On 10/30/2013 11:43 AM, Dominick Grift wrote:
> On Wed, 2013-10-30 at 11:13 -0400, Daniel J Walsh wrote:
>> On 10/30/2013 10:11 AM, Matthew Miller wrote:
>>> There is some concern on the devel mailing list about user-writable
>>> directories in the default $PATH -- initially discussion about
>>> ~/.local/bin as a hidden file, but now also out to ~/bin as well. I
>>> notice that these are home_bin_t. What does this do with the current
>>> policy, and what more could we do? (Particularly, a compromised
>>> application shouldn't be able to put binaries there, but a shell script
>>> or something like `pip install` probably _should_ be able to.)
>>>
>> I responded on the other email on what these labels do.
>>
>> Confining user space is difficult, since most people do not want stuff
>> to break and blocking apps from writing general places in the homedir is
>> difficult.
>>
>> I think the future with confined applications where the application runs
>> within a container and does not get direct access to the user's homedir is
>> the only way to handle this.
>
> Difficult: sure, impossible: I do not think so.
>
> I have proof that it is possible, if one sets clear goals, boundaries, and
> realistic expectations.
>
> I do not think containers are a silver bullet, and that MCS is a solution
> to all problems.
>
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

Well, in this case I would like to potentially run these container/apps with
Types like firefox_t and ooffice_t, but more generically with app_t, where
app_t is not allowed to touch user_home_t. But we are going far afield of this
email chain, and we can revisit this when we actually have application
containers.